Setting up a Tomcat realm to authenticate by LDAP over SSL

Posted By:   Darek_Maciborek
Posted On:   Monday, January 10, 2005 06:06 AM

Hi.
I'm developing a Struts app that uses LDAP for authentication and authorization.

Previously I was using a non-ssl LDAP and everything worked fine. I had a realm defined (in config.xml):


<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://non_ssl_ldap:389"
       userBase="ou=people, dc=int"
       userSearch="(uid={0})"
       roleBase="ou=roles, ou=lunchtool, ou=applications, ou=logicalgroups, dc=int"
       roleName="cn"
       roleSearch="(uniqueMember={0})" />


But now there is a new LDAP which is ssl-secured. So I changed the realm definition to:


<Realm className="org.apache.catalina.realm.JNDIRealm"
       debug="99"
       connectionURL="ldap://ssl_ldap:636"
       userBase="ou=people, dc=int"
       userSearch="(uid={0})"
       roleBase="ou=roles, ou=lunchtool, ou=applications, ou=logicalgroups, dc=int"
       roleName="cn"
       protocol="ssl"
       roleSearch="(uniqueMember={0})" />



And the LDAP address is the only thing I changed in the whole project. I'm building the project using maven-1.0.2 and deploying on Tomcat-5.0.27.

But now when I try to deploy the app I get an error:


FAIL - Encountered exception java.io.IOException: java.lang.IllegalStateException:
ContainerBase.addChild: start: LifecycleException: Exception opening directory server connection:
javax.naming.CommunicationException: localhost:389 [Root exception is java.net.ConnectException:
Connection refused]


Since the address is OK, and I can connect to the server using JXplorer I figured out that it may be caused by lack of certificates configuration.


Over the last two days I tried to search the web, books, tutorials, etc. for an answer on how to do it, but nothing worked. So I'm really frustrated by now.


I know that the LDAP server has a self-signed certificate, so I'd like to ask you what steps need to be performed on the LDAP server side and on my Tomcat side to set up the certificates properly.


Any answer will be much appreciated.


Re: Setting up a Tomcat realm to authenticate by LDAP over SSL

Posted By:   Anonymous  
Posted On:   Tuesday, February 1, 2005 04:42 AM

Darek,

you have to add your root/ca certificate to the cacerts file of the jre. It can be found in your $JAVA_HOME/lib/security directory. Use the java keytool command to add the certs. I'm using tomcat5.5 and jre1.5.0_01.


Hope this helps.

Dirk
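A worked version of Dirk's advice, added here as an example and not code from the thread: it fetches the certificate the LDAPS listener presents with openssl, imports it with keytool into a dedicated truststore rather than the JRE's shared cacerts (so a JRE upgrade does not silently drop it), checks the import, and prints the JVM options that point Tomcat at that truststore. The host name ssl_ldap, the file paths and the password are placeholders, and keytool and openssl are assumed to be on the PATH.

```shell
#!/bin/sh
# Added example (not from the original thread): trust a self-signed LDAP
# server certificate in a dedicated Java truststore and tell Tomcat to use it.
# Host name, paths and password below are assumed placeholders.
set -e

# Keep only the PEM certificate from `openssl s_client` output, which also
# prints handshake chatter before and after the certificate block.
extract_cert() {            # stdin: s_client output, stdout: PEM certificate
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Fetch the leaf certificate the LDAPS listener actually presents. Without
# -showcerts only the server certificate is printed, which for a self-signed
# server is exactly the trust anchor we want.
fetch_ldap_cert() {         # $1=host $2=port $3=output file
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | extract_cert >"$3"
}

# Import the certificate, creating the truststore if needed. -trustcacerts
# lets keytool chain to already-trusted roots; -noprompt skips the
# interactive "Trust this certificate?" question.
import_cert() {             # $1=pem file $2=truststore $3=password $4=alias
    keytool -import -noprompt -trustcacerts -alias "$4" \
        -file "$1" -keystore "$2" -storepass "$3"
}

# Return 0 when the alias exists in the truststore (verifies the import).
has_alias() {               # $1=truststore $2=password $3=alias
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# JVM options that make the JNDIRealm's SSL connection use the dedicated
# truststore; add them to CATALINA_OPTS in catalina.sh or setenv.sh.
truststore_opts() {         # $1=truststore $2=password
    printf '%s' "-Djavax.net.ssl.trustStore=$1 -Djavax.net.ssl.trustStorePassword=$2"
}

if [ "${1:-}" = "run" ]; then   # usage: ./ldap-trust.sh run
    ts=/etc/tomcat/ldap-truststore.jks
    fetch_ldap_cert ssl_ldap 636 ldap-server.pem
    import_cert ldap-server.pem "$ts" changeit ldap-server
    has_alias "$ts" changeit ldap-server && echo "import OK"
    echo "CATALINA_OPTS=\"$(truststore_opts "$ts" changeit)\""
fi
```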
